Are you unsure whether, and how, your organization needs to comply with SOX with respect to outsourced business functions and processes?

Outsourcing Business Processes and Sarbanes-Oxley
There's plenty of confusion about outsourcing processes, from application development and Web hosting to broad finance and accounting business-process outsourcing (BPO). Such confusion, coupled with SOX compliance, may slow your organization’s compliance efforts and unnecessarily influence your decisions to limit, postpone, or cancel outsourcing.

By Susan Jendrey

___________________________________________________________________

While SOX clearly lays out its expectations for internal controls and for real-time reporting of material variances (in Sections 404 and 409), nothing in the act itself specifically addresses compliance requirements for outsourced business and IT functions and processes.

What does this mean for the IT executive? If you are currently outsourcing or considering outsourcing, how will this affect your firm’s ability to comply with SOX? Since the original publication date of the Act, what standards have been written to outline compliance requirements when outsourcing to service organizations?

Deputy chief accountant Andrew Bailey and professional accounting fellow Nancy Salisbury, both with the U.S. Securities and Exchange Commission, outlined three publications to help clarify outsourcing and SOX compliance (see links at end of article).

According to Salisbury, the Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 2, Appendix B, paragraphs B18 through B29, also speak to what management needs to do. “If auditors have to attest to certain standards, then management has to do at least that much.”

First, organizations need to ensure that their outsourced business and IT functions and processes comply with SOX Section 404 (Internal Controls). On March 9, 2004, in a very clear response, PCAOB (fondly referred to as peek-a-boo) issued a written statement, in which it noted, “The use of a service organization does not reduce management’s responsibility to maintain effective internal control over financial reporting.”

___________________________________________________________________________

Second, on June 18, 2004, the SEC approved the PCAOB Auditing Standard No. 2, “An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements.” The standard addresses both the work required to audit internal control over financial reporting as well as the relationship of that audit to the audit of the financial statements. In this document, PCAOB states that Statement of Auditing Standards No. 70 (SAS 70), Service Organizations (AU section 324) applies to the audit of financial statements of a company that obtains services from another organization that are part of its information system.

A service organization’s services are part of a company’s information system if they affect any of the following:

The classes of transactions in the company’s operations that are significant to the company’s financial statements

The procedures, both automated and manual, by which the company’s transactions are initiated, authorized, recorded, processed, and reported from their incurrence to their inclusion in the financial statements

The related accounting records, whether electronic or manual, supporting information and specific accounts in the company’s financial statements involved in initiating, authorizing, recording, processing, and reporting the company’s transactions

How the company’s information system captures other events and conditions that are significant to the financial statements

The financial reporting process used to prepare the company’s financial statements, including significant accounting estimates and disclosures

Furthermore, Auditing Standard No. 2 indicates that evidence about the operating effectiveness of controls at a service organization can be obtained from a Type 2 SAS No. 70 report. The "Staff Questions and Answers" (see links below) outlines what to do if the report is issued more than six months prior to the date of management’s assessment. Lastly, the auditor of the service organization can be the same as the auditor of the user organization.

________________________________________________________________________

Even after reading the follow-up documentation provided by the SEC and PCAOB, some individuals will be disappointed that there is no specific checklist to ensure compliance. According to Lee Dittmar, principal with Deloitte Consulting LLP, “They will be missing the point. Section 404 is principle-based regulation, not rule-based. There could be more than one way to comply. Individuals need to apply sound business practices that best fit their company’s situation. And, they need to focus on the spirit not just the letter of the law.”

With respect to IT, Dittmar notes that “SOX presents four key categories of impact: (1) application-level controls, (2) general computer-level controls, (3) new functionality to support first-year compliance, and (4) changes and improvements to enable ongoing compliance.

“Management needs to take second and third looks at outsourcing arrangements and agreements. They cannot become complacent because they have obtained a piece of paper covering the first year. It will become critical to revisit terms and conditions of contracts with outsourcers through the lens of SOX.”

When asked how organizations are actually applying these guidelines, Deloitte national director of SAS 70 services Bruce Marcus replies, “Service organizations now have a heightened awareness that internal controls within their organization affect their customers [user organizations]. One of the ways [a] service organization [has] been able to demonstrate effectiveness of [its] internal controls is by issuing a SAS 70 Type 2 report.

_____________________________________________________________________

“During the audit process, if an outsourced process or function is deemed critical to financial controls or financial statements, we assess not only controls in the service organization but also complementary controls in the user organization.”

Some organizations are finding that they need to supplement SAS 70 reports for Section 404 outsourcing compliance. Bruce Winters, a CPA and leader in the systems and process assurance practice at PricewaterhouseCoopers, adds, “Some organizations are sending in either their own internal auditors, their external auditors, or, in some cases, asking the service bureau to do additional testing. They want tests conducted specific to their company, not just a general assessment of the service provider.

“For example, organizations may want outsourcers to conduct tests specific to the servers and machines that their applications are run on. They want to know what problems they’ve had and how those problems are being tested. Additionally, organizations are looking at physical or logical security, segregation of duties (development separate from operations), and at specific applications outsourced to service providers.”

Keep in mind, Winters continues, that “SAS 70 was created for auditors. It provides guidelines for a service bureau audit so that other auditors can rely on it. (Imagine if all of ADP’s customers had to conduct a separate audit of ADP.) Very basic stuff is covered in SAS 70 audits. Not a lot of meat goes into those reports. Now that companies are relying on SAS 70 for Section 404 compliance, it’s becoming a different story.”

The bottom line: SAS 70 provides basic guidelines. Managers whose organizations outsource need to ensure that financial controls for relevant outsourced processes are adequately assessed. Work with your auditors to determine whether outsourced functions warrant SAS 70 Type 2 reports and/or additional, custom tests.

_________________________________________________________________________

Credits:

PCAOB Bylaws and Rules-Standards, Auditing Standard No. 2 -- An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, March 9, 2004, Appendix B, Paragraphs B18 through B29

PCAOB Staff Questions and Answers—Auditing Control over Financial Reporting, June 23, 2004, Questions 24 through 27

American Institute of Certified Public Accountants Professional Standards AU 324, Service Organizations
